It is common for an original equipment manufacturer (OEM) to use a contract manufacturer (CM) to manufacture items of electronic equipment that include a data processing device. The manufacturing process carried out by the CM typically includes populating printed circuit boards with electronic components including the data processing devices, and installing software on the data processing devices.
The software installed on the devices may contain valuable intellectual property. It would be useful for the CM to be able to install the software on the data processing devices but be unable to view the software.
A known problem with the use of CMs is so-called “grey manufacture”, where a CM manufactures more of the items of electronic equipment than have been requested by the OEM, and sells the additional items of electronic equipment for a reduced price with no customer support. This reduces the profit made by the OEM, and can also damage the reputation of the OEM, as the “grey manufactured” items of electronic equipment are likely to be indistinguishable from the items of electronic equipment sold by the OEM.
It is known to use a hardware security module (HSM) to prevent or at least detect grey manufacture, particularly in the field of mobile ‘phone manufacture, where it is important that an international mobile equipment identity (IMEI) of each mobile ‘phone is unique. An HSM is a computer in a tamper-proof or tamper-evident case that uses encryption to maintain a store of available IMEIs and a record of which IMEIs have been issued for use in a mobile ‘phone manufacturing process. An HSM is an extremely expensive piece of equipment, as well as being bulky to transport between an OEM and a CM.
It would be possible to use an HSM to install firmware on data processing devices in a manufacturing process carried out by a CM, so as to enable an OEM to detect any grey manufacture. For the reasons above, however, this would not be practical except for very large production runs.
Public-key or asymmetric cryptography involves generation of mathematically linked public and private keys that make up a key pair. The public key is made available to others by the owner of the key pair and can be used to encrypt plaintext to generate cipher text. Cipher text generated using the public key cannot be decrypted using the public key; it can only be decrypted using the private key, which is kept secret by the owner of the key pair. The private key can also be used to apply a digital signature to data. The public key can be used to verify the digital signature applied to data using the private key as having been applied by the owner of the key pair.